paper-poster-html

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly does live fetches at runtime for venue specs ("consult the venue's official poster‑instructions page" — arbitrary https://... URLs fetched and recorded into POSTER_STATE.json) and also may load MathJax from a CDN (tex‑svg.js, e.g. a script URL such as a MathJax CDN like https://cdn.jsdelivr.net/npm/mathjax/.../tex-svg.js) while Playwright renders pages; both are runtime-fetched external resources that (a) are required for correct gating (canvas dimensions / equation rendering) and (b) execute remote code or directly control agent decisions, so they present a real runtime external-dependency risk.